FBI Confirms North Korea Behind $100 Million Harmony Hack

The FBI announced on Monday that it has concluded that the North Korean hacker organization Lazarus Group was behind it 100 million dollar hack of Harmony Protocol last June.

Over $60 million of the ETH stolen during the heist was laundered on January 13, six months after the fact. It allowed the law enforcement agency to confidently identify the Lazarus Group and APT38 – another North Korean cyber group – as the architects of the crime.

The hackers used RAILGUN, a privacy protocol, in an attempt to hide their transactions. Nevertheless, part of the funds were then frozen and recovered at the exchange when the hackers tried to exchange them for Bitcoin. Unclaimed funds were then sent to 11 Ethereum addresses.

The FBI and its investigative partners will “continue to identify and disrupt North Korea’s theft and laundering of virtual currency, which is used to support North Korea’s ballistic missile and weapons of mass destruction programs,” according to the announcement.

In the immediate aftermath of June’s Harmony hack, blockchain analysts linked the exploit to the Lazarus Group using a combination of chain searching and comparisons with previous hacks committed by the group. While the US government has previously been vocal about the Lazarus Group threat, however, it did not formally accuse the entity of responsibility for the Harmony hack until today.

The hack targeted a cross-chain bridge that connected Harmony, a layer-1 blockchain, to Ethereum, Bitcoin, and the Binance Chain. The strategy echoes previous attacks linked to the Lazarus Group, including a massive one $622 million hack April in the Ronin Network, an Ethereum sidechain used by games to earn crypto games Axie Infinity.

Since 2017, North Korean hacker groups including the Lazarus Group and APT38 have stolen an estimated 1.2 billion dollars worth of cryptocurrency, according to an Associated Press report.

“The FBI will continue to expose and combat the DPRK’s use of illegal activities — including cybercrime and virtual currency theft — to generate revenue for the regime,” the announcement said.

North Korea-linked cyber groups have also reportedly expanded their activities beyond hacks. At the end of December, a report claimed that the Lazarus Group also pretends to be venture capitalists, potential employers and banks.

“Intrusions begin with a large number of spearphishing messages sent to employees of cryptocurrency companies—often working in systems administration or software development/IT operations (DevOps)—on a variety of communication platforms,” ​​according to a federal cybersecurity alert issued last April. “The messages often mimic a recruiting effort and offer high-paying jobs to lure recipients into downloading cryptocurrency applications with malware.”

In response to these crypto-focused attacks, the US government has targeted coin mixing services: tools that allow users to hide the otherwise public traces of cryptocurrency transactions. In August, the Ministry of Finance became shut out Ethereum coin mixer Tornado Cash and a number of wallet addresses linked to the service, citing the use of the Lazarus Group to launder funds from previous hacks as justification for the action.

The move was much condemned in the crypto community as an illegal overreach that unnecessarily threatened users’ privacy. An ongoing litigation backed by cryptopolitics nonprofit Coin Center is challenging the ban.